This chapter is from the book

Objectives

Understand the principles of security management.

In understanding information security management, there are a number of principles
you need to know to create a managed security program. These principles go beyond
firewalls, encryption, and access control. They are concerned with the various
aspects of managing the organization's information assets in areas such
as privacy, confidentiality, integrity, accountability, and the basics of the
mechanisms used in their management.

Know what management's responsibility is in the information security
environment.

Management cannot just decree that the systems and networks will be secure.
They must take an active role in setting and supporting the information security
environment. Without management support, the users will not take information
security seriously.

Understand risk management and how to use risk analysis to make information
security management decisions.

Managing security is the management of risk. Knowing how to assess and manage
risk is key to an information security management program.

Know how to set policies and how to derive standards, guidelines, and implement
procedures to meet policy goals.

Policies are the blueprints of the information security program. From policies,
you can set the standards and guidelines that will be used throughout your organization
to maintain your security posture. Then, using those standards, you can create
procedures that implement the policies.

Set information security roles and responsibilities throughout your organization.

From management to the users, everyone who has access to your organization's
systems and networks is responsible for their role in maintaining security as
set by the policies. Understanding these roles and responsibilities is key to
creating and implementing security policies and procedures.

Understand how the various protection mechanisms are used in information
security management.

Protection mechanisms are the basis of the data architecture decisions that
will be made in your information security program. They determine the
way data is protected and provide a means of controlling access to it.

Understand the considerations and criteria for classifying data.

Protecting data is the objective of every information security program. Therefore,
we look at how that data can be classified so it can be securely handled.

Determine how employment policies and practices are used to enhance information
security in your organization.

Even with the press concentrating on the effects of denial-of-service attacks
and viruses, the biggest threats come from within. Improving employment
policies and practices to perform better background checks, to better handle
hiring and termination, and to address other concerns that help minimize the internal
threat is an important information security practice.

Use change control to maintain security.

One of the jobs of a Trojan horse is to replace a program with one that can
be used to attack the system. Change control is one defense against this type
of attack. By using change control to maintain the configuration of programs, systems,
and networks, you can prevent changes from being used to attack your systems.

Know what is required for Security Awareness Training.

The best security policies and procedures are ineffectual if users do not
understand their roles and responsibilities in the security environment. Training
is the only way for users to understand their responsibilities.

Outline

Introduction

Defining Security Principles

CIA: Information Security's Fundamental Principles

Confidentiality

Integrity

Availability

Privacy

Identification and Authentication

Passwords

Nonrepudiation

Accountability and Auditing

Keystroke Monitoring

Protecting Audit Data

Documentation

Security Management Planning

Risk Management and Analysis

Risk Analysis

Identifying Threats and Vulnerabilities

Asset Valuation

Qualitative Risk Analysis

Countermeasure Selection and Evaluation

Tying It Together

Policies, Standards, Guidelines, and Procedures

Information Security Policies

How Policies Should Be Developed

Define What Policies Need to Be Written

Identify What Is to Be Protected

Identify from Whom It Is Being Protected

Setting Standards

Creating Baselines

Guidelines

Setting and Implementing Procedures

Examining Roles and Responsibility

Management Responsibility

User Information Security Responsibilities

IT Roles and Responsibilities

Other Roles and Responsibilities

Understanding Protection Mechanisms

Layering

Abstraction

Data Hiding

Encryption

Classifying Data

Commercial Classification

Government Classification

Criteria

Creating Procedures for Classifying Data

Employment Policies and Practices

Background Checks and Security Clearances

Employment Agreements, Hiring, and Termination

The Acceptable Usage Policy

Termination

Job Descriptions

Job Rotation

Managing Change Control

Hardware Change Control

Software Change Control

Security Awareness Training

Summary

Apply Your Knowledge

Study Strategies

Even if you are not part of your organization's management team, watch
how management works in the information security environment. Take the practices
and strategies written here and look at not only how your organization implements
them, but how they can be improved. This type of lateral thinking will help
on the exam and can make you a valuable contributor to your organization's
security posture.

The notes throughout the chapter point out key definitions and concepts that
could appear on the exam. They are also key components that all managers should
understand.

This chapter covers Domain 3, Security Management Practices, one of the 10 domains
of the Common Body of Knowledge (CBK) covered in the Certified Information Systems
Security Professional Examination. This domain is divided into several objectives
for study.

"Security management entails the identification of an organization's
information assessment and the development, documentation, and implementation
of policies, standards, procedures, and guidelines that ensure confidentiality,
integrity, and availability. Management tools such as data classification,
risk assessment, and risk analysis are used to identify the threats, classify
assets, and to rate their vulnerabilities so that effective security controls
can be implemented.

The candidate will be expected to understand the planning, organization,
and roles of the individual in identifying and securing an organization's
information assets; the development and use of policies stating management's
views and position on particular topics and the use of guidelines, standards,
and procedures to support the policies; security awareness training to make
employees aware of the importance of information security, its significance,
and the specific security-related requirements relative to their position;
the importance of confidentiality, proprietary, and private information; employment
agreements; employee hiring and termination practices; and risk management
practices and tools to identify, rate, and reduce the risk to specific resources."

Common Body of Knowledge study guide

Introduction

Security management can be difficult for most information security
professionals to understand. It is the bridge between understanding what is to
be protected and why those protections are necessary. Using basic principles and
a risk analysis as building blocks, policies can be created to implement a
successful information security program.

As part of creating that program, information security management should also
understand how standards and guidelines play a part in creating
procedures. When doing this, every user's role and responsibilities should
be accounted for by understanding how to protect the organization's
information assets.

The role of data as a significant part of the organization's information
assets cannot be minimized. Data provides the fuel that drives your
organization, but it is the asset that is the most vulnerable. Protecting this
asset means understanding the various classifying mechanisms and how they can be
used to protect your critical assets.

This chapter covers all these issues and discusses security awareness and
managing people in your information security environment.